Hackers Can Abuse Microsoft Excel Power Query For Malware Attacks

Researchers have found a way to abuse Microsoft Excel for malware attacks. The technique exploits the Microsoft Excel Power Query feature to launch Dynamic Data Exchange (DDE) attacks and deliver malware. At present, no fix is available to patch the flaw.

Microsoft Excel Power Query Abuse

Researchers at Mimecast have reported a possible technique to abuse the Microsoft Excel Power Query feature. Power Query is a scalable tool available as a separate add-on for older Microsoft Excel versions, whereas modern Excel versions include it as a built-in feature. Power Query allows users to integrate various data sources with spreadsheets and dynamically download data for analysis. As described by Microsoft,

Power Query is a data connection technology that enables you to discover, connect, combine, and refine data sources to meet your analysis needs… With Power Query, you can search for data sources, make connections, and then shape that data (for example remove a column, change a data type, or merge tables) in ways that meet your needs.

According to the researchers, a potential attacker can abuse this feature to deliver malware by embedding malicious code in a datasheet. Upon opening the datasheet, the malicious code would run on the target system, executing the malware. As stated in their blog post,

Such attacks are usually hard to detect and give threat actors more chances to compromise the victim’s host. Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened.

They also demonstrated a DDE exploit abusing Power Query for which they have shared the details in their blog post.
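
Because the payload is fetched only when the document is opened, a defender has to look at the workbook package itself for the parts that make that fetch possible. The following Python script is an added example, not code from Mimecast, Microsoft or this article: it inspects an .xlsx package for DDE links, web connections and Power Query definitions. The function names, finding labels and sample workbook are constructed for illustration.

```python
import io
import re
import zipfile

MAX_PART = 8 * 1024 * 1024  # ignore parts declaring a larger uncompressed size
DDE_LINK = re.compile(r"<(?:\w+:)?ddeLink\b")
WEB_URL = re.compile(r'<(?:\w+:)?webPr\b[^>]*?\burl="([^"]*)"')
MASHUP = re.compile(r"<(?:\w+:)?DataMashup\b|Microsoft\.Mashup\.OleDb")


def _text(raw: bytes) -> str:
    # The Power Query DataMashup part may be UTF-16; honour a BOM if present.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage_workbook(data: bytes) -> list:
    """List the parts that let a workbook fetch or exchange external data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.endswith(".xml") or info.file_size > MAX_PART:
                continue
            body = _text(zf.read(info))
            if name.startswith("xl/externalLinks/") and DDE_LINK.search(body):
                findings.append(f"dde-link:{name}")
            if name == "xl/connections.xml":
                findings += [f"web-connection:{u}" for u in WEB_URL.findall(body)]
            if name.startswith(("customXml/", "xl/connections")) and MASHUP.search(body):
                findings.append(f"power-query:{name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: only the parts the scanner reads, not a full workbook."""
    mashup = '<DataMashup xmlns="http://schemas.microsoft.com/DataMashup">AAAA</DataMashup>'
    parts = {
        "xl/connections.xml": b'<connections><connection id="1"><webPr url="https://data.example/report"/></connection></connections>',
        "xl/externalLinks/externalLink1.xml": b'<externalLink><ddeLink ddeService="EXAMPLE" ddeTopic="topic"/></externalLink>',
        "customXml/item1.xml": mashup.encode("utf-16"),
        "xl/workbook.xml": b"<workbook/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, raw in parts.items():
            zf.writestr(name, raw)
    return buf.getvalue()
```

A finding means the workbook is able to reach external data when opened, which many legitimate reports also do; it is a reason to review the file before opening it in Excel, not a verdict.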

Microsoft Recommends A Workaround – No Fix Yet

Upon finding a successful exploit technique, Mimecast reached out to Microsoft to report the matter. However, Microsoft, according to the researchers, said there was no fix.

Instead, they advised a workaround to mitigate the attack. In a recent advisory, Microsoft has explained how users can safely open Microsoft documents (both Excel and Word files) containing DDE fields.

In 2017, researchers from Sensepost also reported a similar attack method abusing Microsoft Word.